CVE-2025-30947
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Cool fade popup cool-fade-popup allows Blind SQL Injection. This issue affects Cool fade popup: from n/a through <= 10.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in Cool fade popup WordPress plugin (≤10.1) allows unauthenticated attackers to steal database contents.
Vulnerability Overview
The Cool fade popup WordPress plugin (versions up to and including 10.1) contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw arises from insufficient input validation and sanitization before user-supplied data is incorporated into database queries [1].
Exploitation Details
An unauthenticated attacker can exploit this vulnerability remotely by sending crafted requests to the affected plugin. Since the SQL injection is blind, the attacker does not receive direct error messages but can infer information from the application's response behavior. The official advisory categorizes this vulnerability as High severity with a CVSS v3 score of 8.5 [1].
Impact
Successful exploitation allows an attacker to interact directly with the WordPress database behind the affected site. This could lead to the extraction of sensitive information, including user credentials, personal data, and other stored content. The advisory notes that such vulnerabilities are often used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Mitigation Status
Users are strongly advised to immediately update the plugin to a patched version (beyond 10.1) if available. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. No workaround other than updating has been documented in the advisory [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=10.1
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.